
[organization logo]

Commented [EUGDPR1]: All fields in this document marked by square brackets [ ] must be filled in.


[organization name]

PROJECT PLAN
for Complying with the European General Data Protection
Regulation

Code:

Commented [EUGDPR2]: The document coding system should be in line with the organization's existing system for document coding; in case such a system is not in place, this line may be deleted.

Version:

Date of version:

Created by:

Approved by:

Confidentiality level:

2017 This template may be used by clients of Advisera Expert Solutions Ltd in accordance with the License Agreement.
[organization name] [confidentiality level]

Change history

Date | Version | Created by | Description of change
dd.mm.yyyy | 0.1 | EUGDPRAcademy | Basic document outline

Table of contents

1. PURPOSE, SCOPE AND USERS ... 3
2. REFERENCE DOCUMENTS ... 3
3. EU GDPR IMPLEMENTATION PROJECT ... 3
   3.1. PROJECT OBJECTIVE ... 3
   3.2. PROJECT RESULTS ... 3
   3.3. DEADLINES ... 5
   3.4. PROJECT ORGANIZATION ... 5
      3.4.1. Project Sponsor ... 5
      3.4.2. Project Manager ... 5
      3.4.3. Project Team ... 5
   3.5. MAIN PROJECT RISKS ... 6
   3.6. TOOLS FOR PROJECT IMPLEMENTATION, REPORTING ... 6
4. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT ... 6
5. VALIDITY AND DOCUMENT MANAGEMENT ... 7

Project Plan for Complying with the EU GDPR ver [version] from [date] Page 2 of 7


1. Purpose, Scope and Users


The purpose of the Project Plan is to clearly define the objective of the European General Data
Protection Regulation (EU GDPR) implementation project, documents to be written, deadlines, and
roles and responsibilities in the project.

The Project Plan is applied to all activities performed in the EU GDPR implementation project.

Users of this document are members of [top management] and members of the project team.

2. Reference Documents

- EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
- [relevant national law or regulation for GDPR implementation]
- [other local laws and regulations]

Commented [EUGDPR3]: If applicable, insert the name of the relevant national or local data protection requirement.

Commented [GDPR4]: If applicable, list other laws and regulations that are related to data protection and information security.

3. EU GDPR Implementation Project


3.1. Project Objective

The project objective is to implement the EU GDPR Management System in accordance with the General Data Protection Regulation (EU GDPR 2016/679) of the European Parliament and of the Council by [date] at the latest.

3.2. Project Results

In order to ensure the most efficient project planning, the Company should use the GDPR Readiness
Questionnaire to determine which areas of GDPR compliance need the most work.

During the EU GDPR implementation project, the following documents (some of which contain appendices that are not expressly stated here) will be written:

Commented [GDPR5]: If a company already has some of these documents, then they do not need to be listed here. For the existing documents, make sure you check if they contain all the necessary elements.

- General Personal Data Protection Policy - a policy meant to establish the general data protection principles as well as to prove the commitment of the company to those principles;
- Employee Data Protection Policy - a policy to set out the conditions under which the company processes personal data of its employees;
- General Data Protection Notice - a notice to set out the conditions under which the company processes personal data of its clients/website visitors;
- Register of General Data Protection Notices - a document where you need to list all the published notices;
- Data Retention Policy - a policy to set out the period for which personal data may be kept by the company;
- Data Protection Officer Job Description - a document that describes the responsibilities of the data protection officer;


- Guidelines for Processing Activities Inventory - a document which explains how to list all the data processing activities;
- Inventory of Processing Activities - a document meant to be used by the Company to prove compliance with the requirements of art. 30 of the EU GDPR;
- Data Subject Consent Form - a document used by the Company to obtain consent from the data subjects for processing personal data for a specific purpose;
- Data Subject Consent Withdrawal Form - a document used by the data subjects to withdraw their consent;
- Parental Consent Form - a document used by the Company to obtain consent from the parent/legal guardian/representative of a minor to process personal data for a specific purpose;
- Parental Consent Withdrawal Form - a document used by the parent/legal guardian/representative of a minor to withdraw the consent from processing personal data for a specific purpose;
- Data Subject Access Request Procedure - a document to set up the process by which the Company answers data subjects' requests;
- Data Protection Impact Assessment Methodology - a document that describes how to assess the necessity and proportionality of a certain processing activity and provide measures to mitigate potential risks to the rights and freedoms of data subjects;
- DPIA Register - a document used by the Company to document the DPIA process. It includes the Threshold questionnaire and the DPIA questionnaire;
- Cross Border Data Transfer Procedure - a document for establishing the conditions under which a cross border data transfer may be carried out;
- Standard Contractual Clauses - model clauses issued by the EU Commission to provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights;
- Processor GDPR Compliance Questionnaire - a questionnaire meant to assess suppliers' compliance with EU GDPR;
- Supplier Data Processing Agreement - a contractual document meant to establish the limits and conditions under which a supplier (processor) can process personal data on behalf of the Company (controller);
- IT Security Policy - describes basic security rules for all employees;
- Access Control Policy - defines how the management approves the access rights to particular users of information systems;
- Security Procedures for IT Department - describes security rules that need to be used for the IT infrastructure;
- Bring Your Own Device (BYOD) Policy - describes the rules for using mobile and other non-company devices for business purposes;
- Mobile Device and Teleworking Policy - describes security rules for using laptops, mobile phones and other devices outside of the company premises;
- Clear Desk and Clear Screen Policy - defines how to protect the information that is located in the workplace and on computer screens;
- Information Classification Policy - defines how to classify data according to confidentiality, and how to protect the data accordingly;
- Anonymization and Pseudonymization Policy - defines how to use these techniques in order to protect the personal data processing;
- Policy on the Use of Encryption - defines how to use cryptographic controls and keys to protect the confidentiality and integrity of the data;
- Disaster Recovery Plan - defines how to recover the infrastructure and the data after a disrupting incident;


- Internal Audit Procedure - defines how to test, assess and evaluate the organizational and technical safeguards in a company;
- Appendix ISO 27001 Internal Audit Checklist - provides a series of questions based on 114 controls that are listed in ISO 27001 Annex A;
- Data Breach Response and Notification Procedure - a procedure that establishes the Company's obligations in case of a personal data breach;
- Data Breach Register - the Company's internal register of data breaches;
- Data Breach Notification to the Supervisory Authority - the document to be used in case of a data breach;
- Data Breach Notification to the Data Subjects - the document to be used in case of a data breach.

3.3. Deadlines

Deadlines for acceptance of individual documents in the course of EU GDPR implementation are as follows:

Document | Deadline for document acceptance

Commented [EUGDPR6]: List here all documents related to EU GDPR implementation. You will find the list of all the documents from the EU GDPR Documentation Toolkit in the List of documents that is in the root folder of the toolkit. The documents in the toolkit and in the List of documents are shown in the suggested sequence of writing the documents. You may decide to develop them through different steps; however, we consider this particular sequence to be the most efficient.

Final presentation of project results is planned for [date].

3.4. Project Organization

3.4.1. Project Sponsor

Each project has an assigned "sponsor" who does not actively participate in the project. The project sponsor must be regularly briefed by the project manager about the project status, and intervene if the project is halted.

Commented [GDPR7]: Usually this is the CEO, general manager, or management board of the company.

[name, job title] has been appointed project sponsor.

Commented [EUGDPR8]: Ideally, this should be a member of top management.

3.4.2. Project Manager

The role of the project manager is to ensure resources necessary for project implementation, to coordinate the project, to inform the sponsor of the progress, and to carry out administrative work related to the project. The project manager's authority should ensure uninterrupted project implementation within set deadlines.

Commented [EUGDPR9]: If a company has the Data Protection Officer, this is the best person for the project manager.

[name, job title] has been appointed project manager.

Commented [EUGDPR10]: Usually this is a person responsible for personal data protection (e.g. Data Protection Officer, IT Security manager) or for business continuity (e.g. Business continuity coordinator).

3.4.3. Project Team

Commented [EUGDPR11]: In the case of smaller organizations which need not appoint a project team, this item may be deleted.

The role of the project team is to assist in various aspects of project implementation, to perform
tasks as specified in the project, and to make decisions about various issues that require a
multidisciplinary approach. The project team meets each time before the final version of a document
from section 2 of this Project Plan is completed, and in all other cases when the project manager
deems it necessary.

Table of participants in the project

Name | Organizational unit | Job title | Phone | E-mail

3.5. Main Project Risks

The main risks in the implementation of the project are the following:

1. Extension of deadlines
2. Performing activities that incur unnecessary costs and waste time
3. Shortage or lack of competent employees (e.g. a DPO)

Commented [EUGDPR12]: Modify in line with assessed risks.

Measures to reduce the above-mentioned risks are the following:

- The project manager ensures that all activities in the project are performed within defined deadlines, and seeks intervention by the project sponsor in a timely manner
- Hiring a consultant to ensure that time or resources are not spent on activities that are not important for the project, and that individual activities are not headed in the wrong direction
- Contracting a data protection expert to propose the most appropriate activities

Commented [EUGDPR13]: Modify in line with experience from previous projects.

3.6. Tools for Project Implementation, Reporting

A shared folder including all documents produced during the project will be created on the local network. All members of the project team will have access to these documents. Only the project manager [and members of the project team] will be authorized to make changes and delete files.

Commented [EUGDPR14]: Adapt to the organization's standard project implementation process.

The project manager will prepare a project implementation report on a monthly basis and forward it to the project sponsor.

Commented [EUGDPR15]: To be deleted if considered unnecessary.

4. Managing Records Kept on the Basis of this Document


Record name | Storage location | Person responsible for storage | Control for record protection | Retention time
Project implementation report (in electronic form) | Shared folder for project-related activities | Project manager | Only the project manager is authorized to edit data | The report is stored for a period of 3 years


5. Validity and document management


This document is valid as of [date].

Owner of this document is [job title].

[job title]
[name]

_________________________
[signature]

Commented [EUGDPR16]: There is no legal obligation to print the documents; the company needs to have proof that it has made the documents available to the relevant employees. If the company decides to print the document, it can also decide whether the document needs to be signed or not.
